krb5 commit: GENC should always export composite names
Greg Hudson
ghudson at MIT.EDU
Wed Oct 3 12:47:27 EDT 2012
https://github.com/krb5/krb5/commit/123ff4cb9bdd2e13aa6b636c98a7fc3f9ee06f85
commit 123ff4cb9bdd2e13aa6b636c98a7fc3f9ee06f85
Author: Luke Howard <lukeh at padl.com>
Date: Sat Sep 1 11:08:27 2012 +1000
GENC should always export composite names
RFC 6680 requires that gss_export_name_composite begin the output
token with 04 02. So we must produce a composite token even if the
name has no authdata, and be able to consume a composite token with no
authdata attributes.
[ghudson at mit.edu: expanded commit message]
ticket: 7400 (new)
src/lib/gssapi/krb5/import_name.c | 9 ++++++---
src/lib/gssapi/krb5/naming_exts.c | 13 ++++++-------
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index ebc2a7b..394aca4 100644
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -57,6 +57,9 @@ import_name_composite(krb5_context context,
krb5_error_code code;
krb5_data data;
+ if (enc_length == 0)
+ return 0;
+
code = krb5_authdata_context_init(context, &ad_context);
if (code != 0)
return code;
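Review bot: The new early return at `if (enc_length == 0) return 0;` reports success without touching the function's output authdata context, so the caller keeps whatever value it passed in. The one caller visible on this page, krb5_gss_import_name, initialises its local with `ad_context = NULL`, so it is safe, but the contract is implicit and a future caller with an uninitialised pointer would go on to use garbage. A comment above the check would make it explicit, for example `/* Composite token with no attributes: succeed and leave the caller's context unchanged. */`. The signature and tail of import_name_composite are outside the hunk, so the output parameter's name is not visible here.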
@@ -133,7 +136,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
#ifndef NO_PASSWORD
struct passwd *pw;
#endif
- int has_ad = 0;
+ int is_composite = 0;
krb5_authdata_context ad_context = NULL;
OM_uint32 status = GSS_S_FAILURE;
krb5_gss_name_t name;
@@ -232,7 +235,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
case 0x01:
break;
case 0x02:
- has_ad++; /* is composite name */
+ is_composite++;
break;
default:
goto fail_name;
@@ -272,7 +275,7 @@ krb5_gss_import_name(minor_status, input_name_buffer,
stringrep = tmp2;
cp += length;
- if (has_ad) {
+ if (is_composite) {
BOUNDS_CHECK(cp, end, 4);
length = *cp++;
length = (length << 8) | *cp++;
diff --git a/src/lib/gssapi/krb5/naming_exts.c b/src/lib/gssapi/krb5/naming_exts.c
index f48b1cb..535311e 100644
--- a/src/lib/gssapi/krb5/naming_exts.c
+++ b/src/lib/gssapi/krb5/naming_exts.c
@@ -673,8 +673,9 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
/* 04 02 OID Name AuthData */
exp_composite_name->length = 10 + gss_mech_krb5->length + princlen;
+ exp_composite_name->length += 4; /* length of encoded attributes */
if (attrs != NULL)
- exp_composite_name->length += 4 + attrs->length;
+ exp_composite_name->length += attrs->length;
exp_composite_name->value = malloc(exp_composite_name->length);
if (exp_composite_name->value == NULL) {
code = ENOMEM;
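Review bot: The layout comment `/* 04 02 OID Name AuthData */` does not mention the 4-byte attribute-length field that is now always emitted, so the constants `10` and `4` in the size sum cannot be checked against it. I would spell out the fields, for example `/* 04 02 | 2-byte OID-part length | OID | 4-byte name length | name | 4-byte attrs length | attrs (may be empty) */`; the exact breakdown of the `10` should be confirmed against the writes below, which are only partly visible here. This sum sizes the `malloc` that the later `memcpy` calls write into, so a comment that ties each term to a write makes a future mismatch easier to spot in review.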
@@ -685,10 +686,7 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
/* Note: we assume the OID will be less than 128 bytes... */
*cp++ = 0x04;
- if (attrs != NULL)
- *cp++ = 0x02;
- else
- *cp++ = 0x01;
+ *cp++ = 0x02;
store_16_be(gss_mech_krb5->length + 2, cp);
cp += 2;
@@ -702,9 +700,10 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
memcpy(cp, princstr, princlen);
cp += princlen;
+ store_32_be(attrs != NULL ? attrs->length : 0, cp);
+ cp += 4;
+
if (attrs != NULL) {
- store_32_be(attrs->length, cp);
- cp += 4;
memcpy(cp, attrs->data, attrs->length);
cp += attrs->length;
}
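Review bot: Nothing after the final `cp += attrs->length;` verifies that the write cursor ended exactly at the allocated size. This commit splits both the length arithmetic (hunk at -673) and the writes into an unconditional and a conditional part, and the two must agree. A check after the block, such as `assert(cp == (unsigned char *)exp_composite_name->value + exp_composite_name->length);`, would turn any drift between them into an immediate debug-time failure rather than a heap overrun or a short token. The declaration of `cp` and the lines following the hunk are not visible, so an equivalent check may already exist further down.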